A network device that performs security functions, such as a firewall, is commonly used to protect networks, servers, and clients. One security function that a firewall performs on a flow of data packets passing through it is Deep Packet Inspection (DPI). Often, DPI occurs at the application layer, i.e., layer 7, of the Open Systems Interconnection (OSI) model. Layer 7 DPI is generally resource-intensive because all of the data packets associated with a particular data packet flow need to be parsed down to layer 7 in real time. On the other hand, experience shows that some reputable websites such as google.com and yahoo.com can be trusted, and thus a security-motivated layer 7 DPI on data packet flows from such websites may not be necessary. In such cases, performing layer 7 DPI wastes resources.
The network device may also gather data packets or portions thereof and store the gathered information in repositories for subsequent access by security-related analytics, reporting, forensics, and so on. To determine which data packets in a data packet flow include information that should be stored in the repositories, e.g., to discover which packets include information that is deemed suspicious or that poses a security risk, the network security device generally performs DPI on all of the data packets, even though many may originate from reputable or trustworthy sources. Performing DPI on all of the data packets, including those from reputable sources, wastes resources.